Remove JWT headers consumed by Istio authn and mixer filters (envoypr…
…oxy#1364) Automatic merge from submit-queue. Remove JWT headers consumed by Istio authn and mixer filters **What this PR does / why we need it**: This PR removes the JWT headers after they have been consumed by Istio authn and mixer filters. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes envoyproxy#1363 **Special notes for your reviewer**: **Release note**: ```release-note ```
Showing
7 changed files
with
165 additions
and
4 deletions.
|
@@ -133,6 +133,48 @@ TEST_P(AuthenticationFilterIntegrationTest, CheckValidJwtPassAuthentication) { | |
EXPECT_STREQ("200", response_->headers().Status()->value().c_str()); | ||
} | ||
|
||
TEST_P(AuthenticationFilterIntegrationTest, CheckConsumedJwtHeadersAreRemoved) { | ||
const Envoy::Http::LowerCaseString header_location( | ||
"location-to-read-jwt-result"); | ||
const std::string jwt_header = | ||
R"( | ||
{ | ||
"iss": "[email protected]", | ||
"sub": "[email protected]", | ||
"aud": "aud1", | ||
"non-string-will-be-ignored": 1512754205, | ||
"some-other-string-claims": "some-claims-kept" | ||
} | ||
)"; | ||
std::string jwt_header_base64 = | ||
Base64::encode(jwt_header.c_str(), jwt_header.size()); | ||
Http::TestHeaderMapImpl request_headers_with_jwt_at_specified_location{ | ||
{":method", "GET"}, | ||
{":path", "/"}, | ||
{":authority", "host"}, | ||
{"location-to-read-jwt-result", jwt_header_base64}}; | ||
// In this config, the JWT verification result for "[email protected]" is in the | ||
// header "location-to-read-jwt-result" | ||
createTestServer( | ||
"src/envoy/http/authn/testdata/" | ||
"envoy_jwt_with_output_header_location.conf", | ||
{"http"}); | ||
// The AuthN filter requires JWT and the http request contains validated JWT. | ||
// In this case, the authentication should succeed and an authn result | ||
// should be generated. | ||
codec_client_ = | ||
makeHttpConnection(makeClientConnection((lookupPort("http")))); | ||
codec_client_->makeHeaderOnlyRequest( | ||
request_headers_with_jwt_at_specified_location, *response_); | ||
|
||
// Wait for request to upstream[0] (backend) | ||
waitForNextUpstreamRequest(0); | ||
|
||
// After Istio authn, the JWT headers consumed by Istio authn should have | ||
// been removed. | ||
EXPECT_TRUE(nullptr == upstream_request_->headers().get(header_location)); | ||
} | ||
|
||
TEST_P(AuthenticationFilterIntegrationTest, CheckAuthnResultIsExpected) { | ||
createTestServer( | ||
"src/envoy/http/authn/testdata/envoy_origin_jwt_authn_only.conf", | ||
|
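Review bot: In CheckConsumedJwtHeadersAreRemoved the client itself sets `location-to-read-jwt-result`, and the fixture added in this commit lists only `istio_authn` and `router` in the filter chain, so the test silently treats a caller-supplied header as the verified JWT payload. Add a comment above `request_headers_with_jwt_at_specified_location` saying so, for example `// Stands in for the output of the JWT verification filter; a real chain must overwrite or drop any client-supplied copy of this header before istio_authn reads it.` The test also stops after the upstream header check: unlike the preceding test, which asserts `EXPECT_STREQ("200", ...)`, it never completes the exchange or checks the downstream status, so it would be worth finishing the response and asserting it if the harness allows. The removal assertion would read more directly as `EXPECT_EQ(nullptr, upstream_request_->headers().get(header_location));`.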
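--- /dev/null
+++ b/src/envoy/http/authn/testdata/envoy_jwt_with_output_header_location.conf
@@ -0,0 +1,99 @@
+{
+"listeners": [
+{
+"address": "tcp://{{ ip_loopback_address }}:0",
+"bind_to_port": true,
+"filters": [
+{
+"type": "read",
+"name": "http_connection_manager",
+"config": {
+"codec_type": "auto",
+"stat_prefix": "ingress_http",
+"route_config": {
+"virtual_hosts": [
+{
+"name": "backend",
+"domains": ["*"],
+"routes": [
+{
+"prefix": "/",
+"cluster": "backend_service"
+}
+]
+}
+]
+},
+"access_log": [
+{
+"path": "/dev/null"
+}
+],
+"filters": [
+{
+"type": "decoder",
+"name": "istio_authn",
+"config": {
+"policy": {
+"origins": [
+{
+"jwt": {
+"issuer": "[email protected]",
+"jwks_uri": "http://localhost:8081/"
+}
+}
+]
+},
+"jwt_output_payload_locations": {
+"[email protected]": "location-to-read-jwt-result"
+}
+}
+},
+{
+"type": "decoder",
+"name": "router",
+"config": {}
+}
+]
+}
+}
+]
+}
+],
+"admin": {
+"access_log_path": "/dev/null",
+"address": "tcp://{{ ip_loopback_address }}:0"
+},
+"cluster_manager": {
+"clusters": [
+{
+"name": "backend_service",
+"connect_timeout_ms": 5000,
+"type": "static",
+"lb_type": "round_robin",
+"hosts": [
+{
+"url": "tcp://{{ ip_loopback_address }}:{{ upstream_0 }}"
+}
+]
+},
+{
+"name": "example_issuer",
+"connect_timeout_ms": 5000,
+"type": "static",
+"circuit_breakers": {
+"default": {
+"max_pending_requests": 10000,
+"max_requests": 10000
+}
+},
+"lb_type": "round_robin",
+"hosts": [
+{
+"url": "tcp://{{ ip_loopback_address }}:{{ upstream_1 }}"
+}
+]
+}
+]
+}
+}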